Stop of logging of No Valid Signature Found

Mark Andrews marka at isc.org
Tue Feb 26 01:15:11 UTC 2013


In message <512C09F5.4040400 at htt-consult.com>, Robert Moskowitz writes:
> On 02/25/2013 03:25 PM, Robert Moskowitz wrote:
> >
> > On 02/25/2013 02:33 PM, Robert Moskowitz wrote:
> >>
> >> On 02/25/2013 02:00 PM, Casey Deccio wrote:
> >>> On Mon, Feb 25, 2013 at 5:09 AM, Robert Moskowitz 
> >>> <rgm at htt-consult.com <mailto:rgm at htt-consult.com>> wrote:
> >>>
> >>>     Yes, I know lots of places don't have DNSSEC signed zones.
> >>>      **I** have not done mine yet, but I turned on DNSSEC checking
> >>>     on my server and I am getting all too many messages like:
> >>>
> >>>           validating @0xb4247b50: 117.in-addr.arpa NSEC: no valid
> >>>     signature found: 1 Time(s)
> >>>           validating @0xb4247b50: 117.in-addr.arpa SOA: no valid
> >>>     signature found: 1 Time(s)
> >>>
> >>>
> >>> Yes, but 117.in-addr.arpa *is* signed [1], so if you're not getting 
> >>> signatures, that's problematic.
> >>
> >> So that is not good.  This is over port 53, right?  I have that open 
> >> for udp and tcp.  My general options section has:
> >>
> >>     dnssec-enable yes;
> >>     dnssec-validation yes;
> 
> digging back in the archive here, I find out this should be
> 
>      dnssec-validation auto;

Actually it can be either.  It's all a matter of how you want to
set up your trust anchors.  For private root zones it is absolutely
the wrong thing to do.

> And now I don't have all those false no valid sig messages and I can 
> look for the NEXT problem.
> 
> >>     dnssec-lookaside auto;
> >>
> >>     /* Path to ISC DLV key */
> >>     bindkeys-file "/etc/named.iscdlv.key";
> >>
> >>     managed-keys-directory "/var/named/dynamic";
> >>
> >>
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
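The two trust-anchor setups Mark's reply contrasts, as an added illustration that is not part of the original thread. The key material below is a placeholder, not a real DNSKEY, and the zone names are assumed for the example.

```conf
/* Case 1: resolver validating the public Internet root.
 * "auto" tells named to use its built-in root trust anchor and to
 * keep it current with RFC 5011 key rollovers in managed-keys-directory.
 * No key needs to be pasted into the configuration. */
options {
    dnssec-enable yes;
    dnssec-validation auto;
    managed-keys-directory "/var/named/dynamic";
};

/* Case 2: resolver that serves a PRIVATE root zone.
 * Here "auto" is wrong: named would validate answers against the
 * public root KSK, which never signed the private root, and every
 * answer would log "no valid signature found". Use "yes" and supply
 * the private root's own KSK as the trust anchor instead. */
options {
    dnssec-enable yes;
    dnssec-validation yes;   /* validate only against the anchors below */
    managed-keys-directory "/var/named/dynamic";
};

/* Trust anchor for the private root. initial-key means named will
 * track RFC 5011 rollovers of this key once it has been accepted.
 * The base64 string is a placeholder; paste the KSK's DNSKEY rdata. */
managed-keys {
    "." initial-key 257 3 8 "<BASE64-DNSKEY-OF-PRIVATE-ROOT-KSK>";
};
```

A quick sanity check after a reload: `dig +dnssec SOA .` against the resolver should return the `ad` flag and no "no valid signature found" lines in the log for the private root.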